With all the news
about viruses and hackers destroying company networks and crashing
computer systems, many small-business owners are left wondering
when their business will be affected. Fortunately, there are
precautions that can be taken. In The Complete Guide To Internet Security by
Mark S. Merkow and James Breithaupt, you'll find everything you
need to know to create a solid security plan and protect against
no-good hackers and infectious viruses. Read on as Merkow discusses
approaches to Internet security, tips on protective measures and
how exactly a hacker attempts to wreak havoc on your site.

Entrepreneur.com: What kind
of a security policy should an online business set up?

Mark S. Merkow: There are
two approaches to security: Prohibit everything that isn't
expressly allowed or permit everything that isn't expressly
denied. Universities and other types of academic organizations
adopt the latter one because it's more reflective of an open
network. But a business absolutely must adopt the first
one-prohibit everything that is not expressly allowed. What that
means is [you have to] look at the entire operation, wherever
there's Internet traffic coming in, and carefully decide what
services you want to make available on network devices.

"What
you're protecting against are people looking for
vulnerabilities. They're looking for ways to attack where the
corporate jewels reside-that's typically in the database
systems."

For example, file transfer protocol has a lot of known
vulnerabilities and if it's not needed or it's only needed
rarely, it should be turned off. The same goes with other services
like network file system (NFS), which has a lot of known problems.
If it's not being used throughout a particular area of the
network, then turn it off. Carefully review everything,
business-processwise, to determine what's safe to do and
what's risky. Once you decide on that, you can look at
protective measures.

Entrepreneur.com:
Where's the best place to start? What's the first thing you
should probably address when setting up your security policy?

Merkow: Start with a review
of all the major components of the work that you do. This will vary
by type of business. For example, let's say you're a
wholesaler of goods that are purchased and resold. Then you would
look at the order entry process very carefully to see what kind of
traffic is permissive for that type of requirement through the
Internet-the shopping and buying aspects. Then you need to look at
where that payment data is going as well as the data moving into
shipping systems, accounting systems, accounts payable systems and
so on. Basically, it's end-to-end. Start at the beginning, and
look very carefully at every step along the way where data is
flowing.

Entrepreneur.com: What kinds
of things should business owners protect against and how do they do
this? What tools would they use?

Merkow: What you're
protecting against are people looking for vulnerabilities.
They're looking for ways to attack where the corporate jewels
reside-that's typically in the database systems. A hacker will
look around for the publicly accessible Web areas, and then start
poking holes to see what else is happening on the network behind
it. As they find interesting things to do with that or interesting
places to search, they'll start to take over a box and raise
their privileges until they get to the point where they're
system administrator on that particular server. Once they gain
control of that, they basically have access to everything on that
network, and everything on that network becomes vulnerable. What
they're really looking for are credit card records or other
valuable data that they could use to exploit, sell or to simply
prove they were able to do it.

To avoid this, you must first understand what those threats are.
A lot of people are unaware of or ignorant to the fact that there
are a lot of nasty people out there looking to do bad things. So it
begins with an awareness of that, and then there's several ways
to use technology and network architecture to prevent most problems
from occurring-basically nipping them in the bud at the firewall so
nothing that is not permitted can come into the network.

Entrepreneur.com: How do
small-business owners put these things up on their site? Usually
the typical small-business owner doesn't know much about this,
so where would they go to find help?

Merkow: Typically, the
systems and architectures needed to do this safely are too
expensive for most small businesses until they become a
medium-sized business, and then the volume makes it worthwhile.
Their best bet is to work their way into a commerce service
provider (CSP), such as IBM Global Services, UUNET and Exodus, that
does this for many different companies and does it very well.

Entrepreneur.com: How do you
protect against potential threats to your system?

Merkow: There are common
ways to protect against them using up-to-date intrusion detection
systems, for example. They record signatures or patterns of known
threats and vulnerabilities, and any time they come in through the
routers they're detected by the system. The system either
notifies somebody that they're under attack or simply shuns
those network packets coming in from the source and prevents that
particular attacker from doing any damage because it kills their
connection as soon as they try to do it.

Virus protection is also crucial. With the Internet, a lot of
times people are finding different ways of delivering payloads for
viruses. Through JavaScript, you can force somebody to download
something or convince them that they absolutely have to have this
particular program and it turns out to be Trojan horse.

Some companies route their e-mail through a value-added network;
IBM Global Services and Worldtalk provide this option. They'll
scan incoming messages for you before they get into your mail
servers and quarantine questionable messages.